from the government-cannot-be-trusted-to-deploy-an-'honor-system' dept

It's 9 AM: do you know where your employees are? The GSA (Government Services Administration) doesn't. It thinks some are working from home, but can't really say for sure. It knows it has employees but it doesn't know who's at the office and who's telecommuting. Here are the findings from the Inspector General's report:

Finding 1 – GSA does not know the number of virtual employees it has, and some virtual employee work arrangements were not fully approved.
Finding 2 – Travel costs related to virtual work arrangements were not assessed annually.
Finding 3 – Official duty stations were incorrect for some virtual employees.
Finding 4 – Virtual employee hours were not accurately reported.
Finding 5 – GSA needs to improve controls over transit subsidies.
Finding 6 – Many GSA teleworkers have not taken the required training.

The Government Accountability Office found that nearly everything about the GSA's teleworker tracking was faulty.

GSA policy (CPO IL-12-04) requires that the Office of the Chief People Officer (OCPO) maintain the master tracking of all GSA virtual employees and that all virtual work arrangements be reviewed annually. The OCPO maintains a list of virtual and satellite employees and whether they have approved work arrangements. At the time of our review, the list contained 454 names; however, the OCPO did not know whether the employees were virtual or satellite. In addition, the OCPO was uncertain of the accuracy of the list because it was based on a manual data call.

For most entities, teleworkers represent a cost savings. Not so with the GSA.

Virtual employees incur reimbursable travel from their duty station to the Agency worksite to effectively perform their official duties and meet mission requirements. We reviewed fiscal years (FYs) 2012 and 2013 travel costs for the 57 employees who had submitted a GSA Form 3703. For 29 of the 57 virtual employees, actual travel costs to the Agency worksite exceeded the cost estimates reflected on the forms. For 13 employees, the actual costs were more than double the estimate.

In addition, the GAO found that the GSA's virtual workers were assigned to incorrect job stations or clocking in under the wrong job code -- a problem made worse by the agency's lack of a unique identifier for teleworkers.

The GSA, in response, has promised a full "policy update" and a very belated addition of a unique teleworker job code. Of course, this comes after years of hands-off management, and the very bureaucratic promise of an updated policy is still at least 90 days down the road.

The government -- like any other employer -- needs to keep close tabs on teleworkers. But especially the government. Who knows how many GSA employees are "working" from home like this infamous EPA employee?

[An] EPA manager [...] allowed an employee to stay at home and not report for duty for several years... [T]his EPA manager not only entered fraudulent time-and-attendance records for the absent employee but also approved the same fraudulent records. It is estimated that the manager's approval of fraudulent time-and-attendance records cost the government more than $500,000...

A half-million and 20 years "on the job" and nothing to show for it. Supervisors said this mostly-faux employee had "little work" to show for his years of service, but despite this, they still managed to give him "exemplary reviews" and pay raises. Of course, The Employee Who Wasn't There had an excuse for his nonperformance and $180,000 in travel reimbursements: he was in the CIA. No further questions were asked.

The government is supposed to be a good steward of the public's money. The GSA's inability (which borders on unwillingness) to properly track its telecommuting workers is the complete opposite of this ideal. In the GSA's inept hands, a money-saving option has led to excessive travel reimbursements and incorrect paychecks. The GAO's report points out the problems, but it's up to the GSA to fix them. As we've seen far too often, Inspector General reports routinely border on "scathing," but when the next inspection rolls around, the problems still exist. So, the GSA may be taking (tentative and bureaucratic) steps towards fixing this issue, but the smart money is on little-to-no change resulting from this report.

The news coverage on all of this has been a bit confusing, as there's a lot of back and forth with seriously conflicting claims, though Groklaw does a nice job trying to piece together the truth. In the end, it appears that a Justice Department official was confused, mainly because Google got FISMA approval for Google Apps Premier, and then introduced a product subset of that, with additional security features, called Google Apps for Government. The DoJ seemed to assume that this meant there was no FISMA on the new offering, and Microsoft ran with it. However, as the GSA quickly made clear, it agrees with Google:

Google Apps for Government uses the Google Apps Premier infrastructure but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls.

Of course, even the GSA seems a bit confused about all of this. While the above statement was the official position of the GSA, in a Senate hearing on the matter, a GSA official described it slightly differently:

"In July 2010, GSA did a FISMA security accreditation for 'Google Apps Premier.' That's what the Google product was called, and it passed our FISMA accreditation process. We actually did that so other agencies could use the Google product. If we do one accreditation, it's leveraged across many agencies. Since that time, Google has introduced what they're calling 'Google Apps for Government.' It's a subset of Google Apps Premier, and as soon as we found out about that, as with all other agencies, we have what you would normally do when a product changes, you re-certify it. So that's what we're doing right now, we're actually going through a re-certification based on those changes that Google has announced with the 'Apps for Government' product offering."

This led to a bunch of headlines claiming that the GSA disagrees with Google. However, if you read both statements in context, it appears that the GSA does, in fact, agree with Google. What the latter statement notes is that the new subset product needs to be re-certified, but nowhere does the official say that it lost its ongoing certification. The official GSA statement above confirms that the initial certification remains intact.

In other words, nothing to see here. A lot of people got confused, but Google has the FISMA certification.

Oh, and an important sidenote in all of this: the Microsoft product which "won" the DoI bid does not have FISMA certification. Yes, you read that correctly. Microsoft is mocking Google for not having FISMA certification (which the product actually did have), while leaving out the bit about how their own product does not. In fact, the government's own filings in the case highlight that it's fine if Microsoft doesn't have FISMA certification now, because it can get it later:

Pursuant to FISMA, an agency may certify and accredit the security of an information system after testing its controls to ensure they work properly. In soliciting a private external cloud, DOI is requesting offerors to propose implementation of its pre-existing technology to meet DOI's specific needs. Accordingly, it follows that such a cloud cannot possibly obtain certification or accreditation because it has not yet been implemented to meet DOI's needs or actually tested. Thus, the lack of FISMA certification for DOI's personalized cloud is not a sign of lax security, as plaintiffs suggest; rather, it is a necessary step in acquiring a dedicated cloud.

In other words, no matter who wins, there will be customization done which will need re-certification... exactly as Google is having done now. In other words, there's no story here. None.

And yet, the Google haters came out quickly on this one. Not only did that Senate hearing happen almost immediately, but the group Consumer Watchdog, which seems to spend all its time coming up with bogus reasons to attack Google, rushed out a press release demanding a further investigation:

"Making misrepresentations to government agencies, particularly involving security clearance, again shows the arrogance of Google engineers, who give little respect to civil society and its accepted rules of conduct. We again urge your committee to hold hearings."

Except, of course, Google did not make misrepresentations to the government agencies. This has nothing to do with Google engineers -- arrogant or not. In fact, you could argue that Consumer Watchdog is actually "making misrepresentations to government agencies" with the letter it sent demanding an investigation.